A
Allen Undercover
Hello,
I have a WIN2K domain, which was set up to allow allow normal users to add
computers to the domain. Everything was working ok for years, until an
Active Directory restore was performed, now only Administrators can add
computers to the Domain. Normal users get the error "Access is Denied".
Things I have checked:
* Default Domain Policy - "Authenticated Users" have the "Add workstation to
domain" right
* Active Directory Users and Computers - Computers container has "Create
Computer Objects" and "Delete Computer Objects" checked for "Authenticated
Users"
* Active Directory ms-DS-MachineAccountQuota is set to a big number(10000)
The NetSetup.log for a failed attempt from a WIN2K workstation is pasted
below. I am baffled, and welcome advice.
Regards,
Allen
8 12:52:22 -----------------------------------------------------------------
08/28 12:52:22 NetpDoDomainJoin
08/28 12:52:22 NetpMachineValidToJoin: 'LCACER'
08/28 12:52:22 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:22 NetpMachineValidToJoin: status: 0x0
08/28 12:52:22 NetpJoinDomain
08/28 12:52:22 Machine: LCACER
08/28 12:52:22 Domain: dynalite.com.au
08/28 12:52:22 MachineAccountOU: (NULL)
08/28 12:52:22 Account: dynalite.com.au\terry
08/28 12:52:22 Options: 0x27
08/28 12:52:22 OS Version: 5.0
08/28 12:52:22 Build number: 2195
08/28 12:52:22 ServicePack: Service Pack 4
08/28 12:52:22 NetpValidateName: checking to see if 'dynalite.com.au' is
valid as type 3 name
08/28 12:52:22 NetpCheckDomainNameIsValid [ Exists ] for 'dynalite.com.au'
returned 0x0
08/28 12:52:22 NetpValidateName: name 'dynalite.com.au' is valid for type 3
08/28 12:52:22 NetpDsGetDcName: trying to find DC in domain
'dynalite.com.au', flags: 0x1020
08/28 12:52:25 NetpDsGetDcName: failed to find a DC having account
'LCACER$': 0x525
08/28 12:52:25 NetpDsGetDcName: found DC '\\nightmare.dynalite.com.au' in
the specified domain
08/28 12:52:25 NetpJoinDomain: status of connecting to dc
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:25 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:25 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:25 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:25 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:26 NetpManageMachineAccountWithSid: NetUserAdd on
'\\nightmare.dynalite.com.au' for 'LCACER$' failed: 0x5
08/28 12:52:26 NetpJoinDomain: status of creating account: 0x5
08/28 12:52:26 NetpJoinDomain: initiaing a rollback due to earlier errors
08/28 12:52:26 NetpLsaOpenSecret: status: 0x0
08/28 12:52:26 NetpJoinDomain: rollback: status of deleting secret: 0x0
08/28 12:52:26 NetpJoinDomain: status of disconnecting from
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:26 NetpDoDomainJoin: status: 0x5
08/28
12:52:26 -----------------------------------------------------------------
08/28 12:52:26 NetpDoDomainJoin
08/28 12:52:26 NetpMachineValidToJoin: 'LCACER'
08/28 12:52:26 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:26 NetpMachineValidToJoin: status: 0x0
08/28 12:52:26 NetpJoinDomain
08/28 12:52:26 Machine: LCACER
08/28 12:52:26 Domain: dynalite.com.au
08/28 12:52:26 MachineAccountOU: (NULL)
08/28 12:52:26 Account: dynalite.com.au\terry
08/28 12:52:26 Options: 0x25
08/28 12:52:26 OS Version: 5.0
08/28 12:52:26 Build number: 2195
08/28 12:52:26 ServicePack: Service Pack 4
08/28 12:52:26 NetpValidateName: checking to see if 'dynalite.com.au' is
valid as type 3 name
08/28 12:52:26 NetpCheckDomainNameIsValid [ Exists ] for 'dynalite.com.au'
returned 0x0
08/28 12:52:26 NetpValidateName: name 'dynalite.com.au' is valid for type 3
08/28 12:52:26 NetpDsGetDcName: trying to find DC in domain
'dynalite.com.au', flags: 0x1020
08/28 12:52:29 NetpDsGetDcName: failed to find a DC having account
'LCACER$': 0x525
08/28 12:52:29 NetpDsGetDcName: found DC '\\nightmare.dynalite.com.au' in
the specified domain
08/28 12:52:29 NetpJoinDomain: status of connecting to dc
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:29 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:29 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:29 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:29 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:30 SamOpenDomain on S-1-5-21-979185461-1960865544-1481510878
failed with 0xc0000022
08/28 12:52:30 NetpJoinDomain: status of setting machine password: 0x5
08/28 12:52:30 NetpJoinDomain: initiaing a rollback due to earlier errors
08/28 12:52:30 NetpLsaOpenSecret: status: 0x0
08/28 12:52:31 NetpJoinDomain: rollback: status of deleting secret: 0x0
08/28 12:52:31 NetpJoinDomain: status of disconnecting from
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:31 NetpDoDomainJoin: status: 0x5
I have a WIN2K domain, which was set up to allow allow normal users to add
computers to the domain. Everything was working ok for years, until an
Active Directory restore was performed, now only Administrators can add
computers to the Domain. Normal users get the error "Access is Denied".
Things I have checked:
* Default Domain Policy - "Authenticated Users" have the "Add workstation to
domain" right
* Active Directory Users and Computers - Computers container has "Create
Computer Objects" and "Delete Computer Objects" checked for "Authenticated
Users"
* Active Directory ms-DS-MachineAccountQuota is set to a big number(10000)
The NetSetup.log for a failed attempt from a WIN2K workstation is pasted
below. I am baffled, and welcome advice.
Regards,
Allen
8 12:52:22 -----------------------------------------------------------------
08/28 12:52:22 NetpDoDomainJoin
08/28 12:52:22 NetpMachineValidToJoin: 'LCACER'
08/28 12:52:22 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:22 NetpMachineValidToJoin: status: 0x0
08/28 12:52:22 NetpJoinDomain
08/28 12:52:22 Machine: LCACER
08/28 12:52:22 Domain: dynalite.com.au
08/28 12:52:22 MachineAccountOU: (NULL)
08/28 12:52:22 Account: dynalite.com.au\terry
08/28 12:52:22 Options: 0x27
08/28 12:52:22 OS Version: 5.0
08/28 12:52:22 Build number: 2195
08/28 12:52:22 ServicePack: Service Pack 4
08/28 12:52:22 NetpValidateName: checking to see if 'dynalite.com.au' is
valid as type 3 name
08/28 12:52:22 NetpCheckDomainNameIsValid [ Exists ] for 'dynalite.com.au'
returned 0x0
08/28 12:52:22 NetpValidateName: name 'dynalite.com.au' is valid for type 3
08/28 12:52:22 NetpDsGetDcName: trying to find DC in domain
'dynalite.com.au', flags: 0x1020
08/28 12:52:25 NetpDsGetDcName: failed to find a DC having account
'LCACER$': 0x525
08/28 12:52:25 NetpDsGetDcName: found DC '\\nightmare.dynalite.com.au' in
the specified domain
08/28 12:52:25 NetpJoinDomain: status of connecting to dc
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:25 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:25 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:25 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:25 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:26 NetpManageMachineAccountWithSid: NetUserAdd on
'\\nightmare.dynalite.com.au' for 'LCACER$' failed: 0x5
08/28 12:52:26 NetpJoinDomain: status of creating account: 0x5
08/28 12:52:26 NetpJoinDomain: initiaing a rollback due to earlier errors
08/28 12:52:26 NetpLsaOpenSecret: status: 0x0
08/28 12:52:26 NetpJoinDomain: rollback: status of deleting secret: 0x0
08/28 12:52:26 NetpJoinDomain: status of disconnecting from
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:26 NetpDoDomainJoin: status: 0x5
08/28
12:52:26 -----------------------------------------------------------------
08/28 12:52:26 NetpDoDomainJoin
08/28 12:52:26 NetpMachineValidToJoin: 'LCACER'
08/28 12:52:26 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:26 NetpMachineValidToJoin: status: 0x0
08/28 12:52:26 NetpJoinDomain
08/28 12:52:26 Machine: LCACER
08/28 12:52:26 Domain: dynalite.com.au
08/28 12:52:26 MachineAccountOU: (NULL)
08/28 12:52:26 Account: dynalite.com.au\terry
08/28 12:52:26 Options: 0x25
08/28 12:52:26 OS Version: 5.0
08/28 12:52:26 Build number: 2195
08/28 12:52:26 ServicePack: Service Pack 4
08/28 12:52:26 NetpValidateName: checking to see if 'dynalite.com.au' is
valid as type 3 name
08/28 12:52:26 NetpCheckDomainNameIsValid [ Exists ] for 'dynalite.com.au'
returned 0x0
08/28 12:52:26 NetpValidateName: name 'dynalite.com.au' is valid for type 3
08/28 12:52:26 NetpDsGetDcName: trying to find DC in domain
'dynalite.com.au', flags: 0x1020
08/28 12:52:29 NetpDsGetDcName: failed to find a DC having account
'LCACER$': 0x525
08/28 12:52:29 NetpDsGetDcName: found DC '\\nightmare.dynalite.com.au' in
the specified domain
08/28 12:52:29 NetpJoinDomain: status of connecting to dc
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:29 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:29 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:29 NetpGetLsaPrimaryDomain: status: 0x0
08/28 12:52:29 NetpLsaOpenSecret: status: 0xc0000034
08/28 12:52:30 SamOpenDomain on S-1-5-21-979185461-1960865544-1481510878
failed with 0xc0000022
08/28 12:52:30 NetpJoinDomain: status of setting machine password: 0x5
08/28 12:52:30 NetpJoinDomain: initiaing a rollback due to earlier errors
08/28 12:52:30 NetpLsaOpenSecret: status: 0x0
08/28 12:52:31 NetpJoinDomain: rollback: status of deleting secret: 0x0
08/28 12:52:31 NetpJoinDomain: status of disconnecting from
'\\nightmare.dynalite.com.au': 0x0
08/28 12:52:31 NetpDoDomainJoin: status: 0x5